Steven Borg: Welcome to the Art of Digital Disruption. Today, we talk with Ryan McDonald. I wanted to highlight three things that really popped out at me as part of this discussion. All three of them are resources that help you secure and work well in the cloud. He brought up the Center for Internet Security. It’s a public open group of people that establish standards for various clouds for the baseline security that you want to reach with checklist and other sorts of things. I was very impressed by that little piece of information that, I think, will be very useful for folks.

Steven Borg: He also brought up the Cloud Control Matrix by another organization. We talked through that briefly during this podcast as how to know who is responsible for what, making sure that what you are doing security-wise, compliance-wise, as a user of Azure or another cloud platform, is in line with what the cloud platform is expecting. There’s a difference of roles and responsibilities. This helps you make sure that you fall on the right side of that, so you know who is responsible for what.

Steven Borg: And the last point he mentioned, near and dear to my heart because of the DevOps connection, was the Security DevOps Kit for Azure. It’s a group of automation scripts, some policies, things that help secure your DevOps pipeline when you’re working specifically with Azure.

Steven Borg: Those were my top three resources that came out of this discussion. Now, on to the podcast.

Steven Borg: Welcome to the Art of Digital Disruption, my name is Steven Borg. I’m the VP of Innovation at 10th Magnitude. Today, I’m joined by Ryan McDonald, the Director of Managed Services at 10th Magnitude. Ryan, welcome to the Art of Digital Disruption.

Ryan McDonald: Thanks, Steven. Glad to be here.

Steven Borg: Do you mind giving us a little background on who you are, so that people can get to know you.

Ryan McDonald: Sure. I’m Ryan McDonald. I’m Director of Managed Services with 10th Magnitude. I’ve been with the organization almost two years now. I joined on the professional services side, helping customers migrate to Azure, and then had the opportunity to work with Alex and the leadership team to build our managed services practices. Previous to 10th Magnitude, really, my whole career has been 100% focused on building infrastructure, securing it, and managing it.

Steven Borg: This is a really interesting thing for me because we’re here talking about disruption. When I’m looking at the industry, isn’t the managed service just a managed service? What makes a managed service in Azure or in the cloud distinct from the run of the mill managed services that you might find across the globe?

Ryan McDonald: Yeah, it’s a great question. With cloud, really, the way that managed services providers are working with customers has really changed. If you think about traditional managed services providers, it was really an outsourced contract, which involved owning and managing that huge amount of capital requirement for the servers and the infrastructure. These contracts are really designed to manage the risk of deploying new capital in those environments. Really, with those contracts, a lot of the innovation was built in at the beginning. Hey, we’re going to give you new hardware. We’re going to give you new infrastructure. Then, over time, you didn’t get any of that innovation.

Ryan McDonald: With the economics of the cloud, all of that has really shifted because there’s no need for this huge amount of capital to deploy the infrastructure. So, the nature of those contracts with cloud managed service providers has really changed. So really, the focus is on mitigating the competitive risk by providing improved responsiveness, improved speed, and innovation, and really allowing customers scarce human capital to focus on data and applications, and not the maintenance and operation of infrastructure.

Steven Borg: That’s a really interesting pattern for me, because it replicates the difference between how cloud is disrupting internal IT as well, because, like you mentioned, that cycle of maintaining infrastructure. It sounds like if I have a traditional IT vendor, I’m not going to get the latest and greatest updates of every operating system the minute it’s released or those things that we expect in the cloud. Instead, I might be captured to that two-year upgrade cycle or whatnot, the big changes still; whereas, in the cloud, I can move faster, I can hear you saying.

Ryan McDonald: Definitely. Yeah, I mean, with the cloud, and as you know, the ability to leverage the new services and move at a speed which is unheard-of when you think about comparing that to traditional data centers. Really, what you want to do is make sure that your management is aligned to the speed and agility that cloud brings.

Steven Borg: That’s a really interesting point that we talked about with Alex in the previous podcast, which is that speed and agility. If you’re going to be a disruptor in the industry, in your industry, whatever that is, you really need to be able to move quickly. Given that, I want to arm our listeners with some of the things you’ve learned in managing the service. You’ve built it from the ground up and are providing these managed services to customers across the globe. What does it look like, and what have you learned? What are some good practices, or best practices?

Ryan McDonald: Yeah. Definitely, we got a few that I’d love to share with you today. The first one is don’t forget what has served you well. Some of the old rules that traditional IT has used to focus on managing infrastructure still apply. The first is people, process, and technology. It’s an age old adage that we’ve all heard. Really, it’s important with cloud and specifically how you think about management of cloud to address the organizational challenges that your team is going to face. The way that they do things in the cloud will change. If you don’t include process formalization and automation of those tasks, and follow it up with training, really, you’re going to set yourself up for some challenges with managing cloud.

Steven Borg: This is an interesting take because you’re telling me that even in a managed service environment or in a cloud environment, people still matter. I’m not just automating away jobs. You still need to focus on the people in process. You put those before technology.

Ryan McDonald: They definitely do. For me, it always started with people and making sure that you have good process around them. Really, that starts at the top in a lot of organizations. You need buy-in because if that shift and support for the change with cloud doesn’t come from the top, chances are you’re not going to succeed.

Steven Borg: We hear that across the board in all areas of cloud adoption, not just managed services, but the importance of that buy-in at the top and the understanding that things are going to change.

Ryan McDonald: Definitely.

Steven Borg: What else? We’re talking the old rules though. What else applies?

Ryan McDonald: Yeah, definitely. The other is really to base your approach on risk and compliance. This starts to meld in some security conversations and some compliance conversations, but, really, you need to think about management of your infrastructure around security threats, which are most likely to be attacking your infrastructure.

Steven Borg: What other old rules still apply in this new cloud world?

Ryan McDonald: You definitely need to think about management of the cloud and base it on your risk and compliance requirements. First, you really want to prioritize protecting against the security threats that makes sense for your environment. You also want to look at your compliance requirements whether you have PCI or HIPAA requirements. Make sure that you’re understanding those requirements as part of your management of cloud. Then, finally, it’s a great opportunity to re-look at availability and DR requirements for your infrastructure. There’s some great services in the cloud, which will make meeting some of those business requirements a lot easier.

Ryan McDonald: Then, finally, I would say, always stick with the principle of least privilege. It’s easy to get excited about the cloud and start giving people access. Really, you want to make sure that as you go into the cloud, and you think about your long-term management approach, that the principle of least privilege and giving users only the rights they need in the environment is really important.

Steven Borg: Those all sound like really important things we’re carrying over, but I’m sure there’s things that we don’t carry over or that change in the cloud. So, what’s different? You run a pretty innovative managed service in a good way that’s different from what I’ve seen in internal IT shops and other managed services. What do you do to ensure that you’re providing this uptime? What’s different then, than in a traditional data center?

Ryan McDonald: Yeah. It all really starts with your cloud foundation. One of the ways you do that in Azure and other clouds is this concept of an Azure scaffold. Really, what that does is it helps you define your hierarchy for how many subscriptions you’re going to have, what your naming standards are going to look like, how you’re going to apply policies and auditing throughout that hierarchy. As you can imagine, in a larger enterprise, you may have different requirements for different subscriptions and different workloads. You also want to look at things like resource tags and that’s really metadata that you can bring back for reporting and analysis.

Steven Borg: Ryan, running managed services, you’ve learned a lot of interesting stuff that I’m sure is radically different from a traditional data center. How do I ensure that I have the right foundations in place? How do I do things right in the cloud?

Ryan McDonald: Yeah. Really, it starts with that foundation, and what are the ways that a number of customers start to look at that is to use something called the Azure Scaffold. Really, it’s some prescriptive guidance that Microsoft puts out there for all the things that you need to look at in order to have that solid cloud foundation because, as you know, if you’ve got a shaky foundation, then it’s going to translate to your management of the infrastructure.

Ryan McDonald: Some of the things you need to look at is your hierarchy and how you’re going to organize your subscriptions either by business unit or application, how you’re going to name your resources inside of Azure. Naming is really important. I’ve seen it take a long time actually with a lot of customers to get that right. Thinking about how you’re going to apply policies and auditing through your subscriptions to make sure that you’ve got the right guardrails in place. Things like resource tags, and resource groups, and how you’re going to do role-based access control are all really important.

Ryan McDonald: Also, resource locks, these are a construct inside of Azure where you can say put a lock on a resource that you can delete it. Then, finally, how you’re going to provide some of those core networking services throughout some of your subscriptions. We’ve really seen some examples of this through our managed services in environments that we’ve inherited. We had one customer here recently that accidentally deleted a bunch of key resources in a subscription that we were working in. Really, it was because they weren’t following some of those foundational best practices around having resource locks on key infrastructure.

Ryan McDonald: Yes. It was unfortunate. It’s a great lesson learned in reinforcement to make sure that strategy is done at the beginning, so that it’s consistent to your environments.

Steven Borg: A quick question on that. If I’m setting something up, and I’ll use the Azure as the cloud example, if I’m setting something up in Azure, is this a manual checklist I have to go through, or do I set this up with templates, or guidance? Can I restrict it at the subscription? How does this all work, so that I don’t just have rogue people setting something up that doesn’t fit inside of the scaffold?

Ryan McDonald: Yes, definitely. The answer to your question is you can do it through automation, or you can do it manually. Certainly, I would highly recommend that you do this through templates and through automation, so that when you’re deploying new subscriptions and new environments that they can be deployed with your standards, and your policy, and everything in place, so that when you give the environment to application developers to deploy applications and code that they have these guardrails in place for the infrastructure.

Steven Borg: When I hear that, and I’m thinking about disruption and moving quickly, what I’m hearing is if I define some of that upfront, I can then move very rapidly and safely. If I have a template that I know is secured, that I know follows my best practices as an organization, I can then stamp out these new subscriptions, or resource groups, or applications in a very rapid pace without having to constantly come back and worry that I’ve done something incorrectly?

Ryan McDonald: You’re exactly right. I’ve actually seen recent examples with customers that we’re working with that don’t have a fully-baked resource group and subscription model strategy. They’re actually slowing adoption of some new applications and deployment of those applications because they’re struggling with some of these foundational components. Definitely, you’ve got to get it in place at the beginning.

Steven Borg: I hear you. It drives me crazy because when I hear about the scaffold, and then I look back at just some of the places I’ve recently been, we’re waiting two and three weeks to get a virtual machine approved through the standard pipeline to be able to spin something up in Azure. That’s just for a virtual machine, which is a standard secured format that they have a gold template for. I can’t even imagine how long it would take for a brand-new environment to be spun up. That can rapidly accelerate things if you shift to the left hand of that timeline defining this upfront. It means I can move an incredible rate of speed.

Ryan McDonald: Yeah, really, you would take that from weeks to minutes to have all that in place.

Steven Borg: If I do that, then, what’s my risk to security? How do I make sure that I’ve got the right stuff upfront to keep that secure?

Ryan McDonald: Yeah, security is obviously huge when thinking about the cloud and adoption of cloud. Also, as you’re moving fast, you’ve got to really take a security-first mindset. There’s a couple of key pieces here that I want to share. The first is you can do a few simple things and prevent 90% of all security breaches. Really, those are hardened and managed patches, hardened, your virtual machine images, and managed patches for your operating systems.

Ryan McDonald: Second, you want to keep your antivirus and anti-malware current. I know that seems pretty basic, but you’d be surprised how often antivirus and anti-malware aren’t current.

Ryan McDonald: The other one that you would think would be just automatic is that you’ve got to secure your endpoints. Meaning, don’t have open endpoints to the internet for management. We’ve come across a number of environments that we’ve inherited from a managed services perspective, and they had open endpoints to the internet on all of their virtual machines. When we got in and put our monitoring in place, these assets were continually being hacked in brute force trying to break into this. You’ve got to secure your endpoints.

Steven Borg: That’s crazy. I just want to ask, you take over somebody else’s Azure subscription, you start to manage it. As you do that, put your monitoring in place, is it like 1% of customers have a security problem or is it a substantial amount? What does it look like?

Ryan McDonald: It’s a substantial amount. To date, it’s been almost every environment that we’ve inherited has had security issues.

Steven Borg: Oh my goodness.

Ryan McDonald: Yes. It’s scary. Once customers actually see it, it’s number one on the list for us to remediate and secure instantly.

Steven Borg: Listeners, pay close attention to making sure that you have that additional foundation in place. Then, ensure you’ve got that security. Now, how do we know what to check for? I’m sure cloud security is similar in some ways, but different than others to on premises. What do we do?

Ryan McDonald: Well, you have to monitor. That’s the next piece of advice on the list is you’ve got to have visibility into the environment, both at an infrastructure and application level. Then, finally, you want to control your identities. Really, with cloud, thinking about security starts to shift through identity because your users are easy entry points to the environment. We’ve all heard stories about big hacks and everything. All of that starts with compromised credentials of a user. Controlling identity is really critical.

Steven Borg: When I look at Azure Active Directory, some of the machine learning things that go into place for that are maybe impressive or useful as well because I know that if I logged in in one location and then I set my VPN to log me in from another location across the globe, I will very often, get prompted to reenter my credentials. Even if I’m on the same laptop, it says things are a little bit funny. I like that.

Ryan McDonald: It’s a great service. It’s one that we always recommend, multi factor authentication, and some of the advanced security controls around identity can really help increase your security posture around identities.

Steven Borg: Where do I go to find out how to secure this? Do I just keep looking? How do I know what my security stance should be? How do you get guidance? Where do you find that guidance?

Ryan McDonald: Yeah. One area of guidance that’s recent and is available for multiple clouds but has just been released for Azure is The Center for Internet Security, they have released what they call the CIS Azure Foundation’s Benchmarks. Really, it’s a guide to secure Azure. It has a number of key areas around identity, storage, sequel, logging, and monitoring that they give prescriptive guidance for how to secure your Azure infrastructure.

Ryan McDonald: They even break it out into a couple of different levels. They have level one security, which is really good general practices that pretty much everyone should adopt. Then, they have a level two, which is for environments that have a little bit of heightened requirements around security. It’s a great place to start to look at how you can increase your security inside of the Azure cloud.

Steven Borg: Perfect. That’s helpful because that’s a place that we can go right away and just get some best practices in place. Security is one of those things you don’t want to mess around with. Having those best practices is good. Thanks for that. Thanks for that tip, Ryan. What’s next?

Ryan McDonald: Yeah. Modern service management is the next area that I wanted to just briefly touch on. You probably haven’t heard the term modern service management. It’s actually a term that Microsoft coined that really talks about the way that IT service management needs to shift in order to support cloud. They’ve really done a lot of work there. The way it’s structured is they have these design principles with kind of a rationale. Then, they lay out some implications.

Ryan McDonald: Let me give you an example. One of the ways that they say that IT service management needs to shift is that it needs to add customer value. Then, really, whoever your customer is, whether it’s an internal user or it’s another customer, they really want to pay for activities that create business value, not just process for the sake of process. Really, the implication is that you have to transform to take advantage of what the public cloud offers. That’s automation. That’s self-service. That’s rapid deployment. Because you’ve got to change those operational practices from how you were doing them on prem because they’re really not agile enough to deliver the business value that you can achieve in a public cloud.

Steven Borg: I’m going to push back a little here because I’m guessing that the ITSM folks would say that their traditional ITSM is also a focus on customer value. What’s the distinguishing feature of modern service management to a traditional ITSM model?

Ryan McDonald: Well, I think for me, it’s really about automation, and then reevaluation of your business processes and how you can streamline those to really support business demands. I think, a lot of IT service management policies and procedures today were driven through ITIL and what the ideal vision from an IT perspective is. With the shift to cloud and modern service management, it’s really about focusing on the business, and the business needs.

Steven Borg: I took a little bit of a devil’s advocate in that position because I, 100%, have seen this with customers where you mentioned it I think, very concisely – rather than an IT-centric view of the world, we’re looking at customer-centric view. Where I see most very formal ITIL processes fall down as people are moving to the cloud is that it blocks people from getting their work done in a fashion that they think they should be able to get their work done. Then, we end up with shadow IT, and you end up with marketing just saying, “I’ve got a credit card. I can just go and implement this lickety-split, and move out, and do something very rapidly” as opposed to following the traditional processes, which might take months or could be years to get something in place.

Ryan McDonald: Yeah, definitely. A couple of the other areas that are really thinking about modern service management is really how to be design-led, and think about designing for failure, and leveraging the resiliency and scalability of the cloud, so that you can mitigate the impact of those failures rapidly or through automation, so that everything gets restored.

Ryan McDonald: The other one is really a zero touch, and leveraging DevOps, and Agile, and pipeline, so that you are continuously deploying, and really manual involvement isn’t required to manage, deploy, and respond to events in the environment.

Steven Borg: I want to know then, if the cloud is different, where in modern service management do we care about automation? Are we migrating VMs? What’s the stance for ensuring that what we’re doing in the cloud is different where it should be, and the same where it should be? I mean, tell me a little bit about that if you would.

Ryan McDonald: Sure. With automation and that shift to the cloud and that new way of thinking, really, there’s this concept of the shared responsibility model. That means that in the cloud, you have certain responsibilities and Microsoft has certain responsibilities. Understanding that model is important to understanding how your security and management processes are going to shift.

Ryan McDonald: What are the ways that we typically like to work with customers around security is with a tool called the Cloud Control Matrix from the Cloud Security Alliance. If you haven’t heard of that, the Cloud Control Matrix is a common set of controls and controlled details for cloud-specific risks. Basically, they have all these control specifications mapped back to major frameworks like NIST and PCI. Really, the benefit of using that is to make sure that you don’t fail to consider important factors when you think about migrating to the cloud.

Ryan McDonald: The other great resource put out by Microsoft is what’s called an Azure Blueprint Responsibility Matrix. Really, it’s a workbook that contains general guidance for control implementation and responsibility for nonspecific Azure architectures. Again, it’s mapped back to pop or to compliance requirements around FedRAMP, or healthcare, or PCI.

Steven Borg: This is really interesting. You’ve pointed out another good resource that’s a generic resource, general – not just Azure but across the board, that Cloud Security Alliance. That’s an interesting thing. I encourage people to go take a look at that. You mentioned the difference. I’m going to come back to ask you specifically, not just in general, about the difference between the responsibilities of the customer and the responsibilities of Microsoft. Where do you fall? Because you’re running a managed service, what makes this managed service disruptive to the other managed services? What is different about the roles and responsibilities that you take on versus what Microsoft takes on, and a customer traditionally takes on?

Ryan McDonald: Definitely. Really, for me and how we help disrupt through our managed services is through automation. It’s through leveraging platform native tools and frameworks so that we can manage at the speed of business in the cloud, where traditional management policies and processes aren’t really fit for the dynamic nature of cloud. That’s one thing from a management perspective that a lot of customers struggle with. Understanding that shift, and understanding what is your cloud provider doing, and how do your mind management processes need to change.

Ryan McDonald: Let me give you an example. On prem, you want to do a network trace, or you just plug into a network tap, and fire up your sniffer, and you can start capturing packets. In the cloud, you can’t do that. There are ways to do it, but you’ve got to have that management process in place, and understand how that’s shifted, so that you can perform some of those same functions.

Steven Borg: Yeah. I have to jump in because I follow the tickets that come into the managed services. I tap into that. They stream through my inbox whenever there’s tickets. I am shocked at the amount of automation because I’m just going to give you an example.

Steven Borg: In the traditional data center, I would probably be looking at my peak capacity plus 20% on my ISS servers or whatever I’m doing internally and externally to support the load. I’m watching some of the tickets come by, and I’ll see a ticket pop in that says, “Hey, we’re at 95% CPU utilization or 90% CPU utilization.” Not four or five seconds later, the ticket’s resolved, and we’ve bumped up to a different level that we’re serving at. I’m sure you don’t have people sitting there waiting and answering these tickets in four or five seconds. That’s the automation in place.

Ryan McDonald: Definitely. Really, for a lot of the management tasks, resizing of instances, expanding disk space, responding to, “Hey, this endpoint is timing out. Is it just a transient error in the cloud or is this resource really down?” We call automation for all of those alerts. We go do the remediation or additional information gathering, so that if we do need to bring in one of our operations engineers that they’ve got good information from the automation, so they can quickly resolve the issue.

Steven Borg: It’s amazing to me. I love to see that. I’m going to put you on the spot now though because we’ve talked a lot about infrastructure. We’ve talked a lot about security. But when we kicked it off, we talked about how Azure and how managed services in a new model can help accelerate the delivery of customer value. In other words, I want to be able to digitally transform. How do I bring my company that digital transformation? How do you support that? One of the ways that’s near and dear to my heart is the ability to get an application from an idea or checked-in code, all the way through into production. I want to do it safely. Traditionally, I call that my DevOps pipeline, or my continuous delivery pipeline, something like that. How do you interoperate with that?

Steven Borg: I’ve been at many companies working on their software delivery practice, and they had some other managed service in the background. In order for me to deploy into that managed service, we needed to file a ticket, get a schedule, plan for downtime. We had to do all of this craziness just to get an update to production. If I have to do that with you and this managed service, it would kill me. Is there something different there as well?

Ryan McDonald: Definitely. One of the things we want to do is really build in policy and security into those pipelines, so that we’ve got the guardrails in place, so that we can make deployment of infrastructure easy and seamless for the development teams, because what we found is that if you make it too difficult for devs to deploy into cloud, they’re going to go around you. That really benefits nobody.

Ryan McDonald: One of the things we do is we use Azure policy to help with those guard rails, so that we can restrict deployment based on our business requirements. Maybe that’s what specific data centers, the customer wants to be able to deploy into, or what kind of resource types. That way, we know that those policies are in place, so that the development teams are deploying based on our standards.

Steven Borg: I think it’s an important thing to note because what you’re doing is very cloud-centric. I’ve seen this happen at many organizations. It’s, you secure the pipeline, you don’t secure each individual. Too often, I’d see people, “Here’s a brand-new release. Now, we have to go through all of these crazy hoops to secure each and every release.” Now, that prevents you from releasing even weekly in most organizations. Some people want to deploy a lot more often.

Steven Borg: What you’re saying is, and what I see as a good practice is, you back that up, and you said, we’ve got these templates, maybe that scaffolding up in front, those restrictions, and we’re securing the pipeline, so we can be confident that when a developer checks in code and decides to promote that into a test environment, or into an AB test, or even into production, that we can do that in a secure way without having to bring in a lot of overhead each and every time we do that release.

Ryan McDonald: Exactly. The Azure scaffold is important to have the subscription hierarchy, getting all the resource groups, and naming in place. You also have to look at it specifically from a DevOps perspective. One resource that we’ve used in the past that’s worked really well is the Security DevOps Kit for Azure. It’s a collection of scripts, and tools, and automation that really cater towards the security needs of DevOps teams. It leverages automation extensively. Really, it’s about smoothly integrating security into that native DevOps workflow.

Ryan McDonald: It focuses on six key areas. The first is securing the subscription, enabling that secure deployment that you talked about, integrating security into the CI/CD pipeline, providing some continuous assurance, not just doing it once, and making sure that security is being checked continually. Then, finally, looking at alerts, and monitoring, and integrating that back into your overall cloud risk governance framework.

Steven Borg: Very interesting. Again, near and dear to my heart because of my DevOps background. I hadn’t seen this Security DevOps Kit for Azure until talking with you earlier. That’s pretty impressive. Is that something that we bring to our customers relatively easily or is it something they bring to the table? How does that get integrated into my CI/CD pipeline into a managed service that you would offer?

Ryan McDonald: Yeah, definitely. We would bring that as part of our reference architecture for DevOps pipelines into Azure. Obviously, the DevOps Security Kit for Azure is very focused on VSTS and some of the Microsoft technologies, but, certainly, the concepts and a number of the automations could be extended or translated to other CI/CD pipelines as well.

Steven Borg: Very good. Ryan, I think we’re coming to the end of our time. Is there anything you want to wrap up with before we leave?

Ryan McDonald: Yeah, definitely. The last one is automation. This is really key. We talked about it throughout some of the other areas that we spoke of, but it is the secret sauce with the dynamic nature of cloud environments. You’ve got to focus on automation. It’s actually one of the biggest areas of investment that we’re making at 10th Magnitude in our managed services environment, like the example you gave where there’s an alert and then it automatically remediated.

Ryan McDonald: There are several approaches to automation in the cloud. We’re leveraging platform-native tools. Most heavily, things like Azure automation, and PowerShell, and desired state configuration, but there’s also some great third-party tools like Chef and Ansible, which are great solutions to leverage in the cloud as well.

Ryan McDonald: Then, one interesting one that’s come up recently for us is the use of Logic Apps. I’m sure you’re familiar with Logic Apps, but they give you the ability to build and orchestrate workflows. Microsoft has actually done a really great job in extending Azure to Logic Apps, so if there’s an event or there’s an issue, we can send that to a Logic App, and start to really build some robust and complicated workflows in a visual way to make it easy to manage those alerts. Automation, automation, automation. Automate or die.

Steven Borg: Automate or die.

Ryan McDonald: Yeah.

Steven Borg: I’m with you there too. I have that feeling of Wizard of Oz and clicking the ruby heels together. Automation, automation, automation. There’s no place like automation.

Ryan McDonald: Exactly.

Steven Borg: I want to encourage people, just as we’re wrapping, Ryan. I want to encourage people to go out and check out our Azure Security Guide. Some of these ideas, Ryan, I believe you wrote it. It’s a whitepaper we have available for folks. It’s at 10thMagnitude.com/Security. I would encourage people to go out and check that out. It’s an excellent resource. It covers some of the things you talked about. It’s one of the reasons that triggered me to want to have you on, Ryan. It’s an excellent piece of work.

Ryan McDonald: Yeah, thank you. It’s a great guide. It’s a little bit more security-focused. Obviously, security and management go hand in hand. That guide will give you a little bit deeper dive into some specific security practices and recommendations when thinking about Azure and the cloud.

Steven Borg: Right. Like you mentioned, every time you take over a new subscription, you most often run into some kind of security flaw somewhere, something that needs to be remediated. Getting your advice on this and learning from you, I think would be a wonderful opportunity for folks out there who are trying to secure their Azure subscriptions, as well as looking into managed service providers potentially who can offload some of that work for them.

Steven Borg: Ryan, thank you very much. Everyone, looking forward to talking to you soon on the next week’s podcast on the Art of Digital Disruption.

Steven Borg: Thanks for listening to the Art of Digital Disruption. With 10th Magnitude, we’re proud to create the path for organizations to stay competitive and disrupt their industries, reaching new heights through cloud-enabled innovation. Before you leave, go download Leading in the Intangible Economy. It will help you lead the charge to digital innovation. Get the guidebook at www.10thMagnitude.com/guidebook.

Visit our Managed Services page to learn more about how 10th Magnitude delivers agility, security, cost management, and stability in your cloud environment so you can focus on what you do best–run your business and innovate.